NIS2 Executive Management: Training Obligation & Liability 2025

Mandatory training under NIS2: who is affected? What liability do directors face? All content, obligations & risks explained simply. Get informed now.

Read time: 15 minutes

Let's be honest: yet another EU law on IT security probably wasn't at the top of your wish list. But since 13 November 2025, it's clear:
The German Bundestag has passed the NIS2 Implementation Act, the new cybersecurity law for Germany.

Shortly afterwards, the Bundesrat (Federal Council) also approved it. The political decision has been made: NIS2 is set, the amended BSI Act is coming, and its entry into force now only depends on promulgation and the effective date stated in the law.

What this means for you:
Cybersecurity is now explicitly no longer a purely IT matter. It becomes a leadership responsibility, with obligations, training requirements and personal liability for executive management.

Most decision-makers are currently grappling with exactly these questions:

  • Am I or is my company even affected by NIS2?
  • Who counts as "executive management" in the legal sense: just the managing director, or also authorised signatories, division heads, C-level?
  • What exactly does the NIS2 executive management training require?
  • How often do I need training, and who checks this?
  • What happens if we ignore the topic or put it off "until later"?

In this article, you'll get a clear overview without legal jargon:

  • what NIS2 is and why so many companies are suddenly affected,
  • who counts as executive management under the law,
  • what obligations arise from Section 38 of the amended BSI Act (BSIG n.F.),
  • what specific training content the BSI expects for executive management,
  • what risks and fines are at stake for violations.

What is NIS2, and why does it suddenly affect you directly?

The NIS2 Directive (Directive (EU) 2022/2555) is the successor to the original NIS Directive and is intended to establish a uniformly high level of cybersecurity across the EU. It has been in force at EU level since 16 January 2023 and must be transposed into national law by all Member States.

Germany has now completed this transposition with the NIS2 Implementation Act. The Bundestag passed the law on 13 November 2025, and the Bundesrat has approved it; entry into force follows upon promulgation and the date specified therein.

The big difference from before:

  • Under NIS1, mainly traditional critical infrastructure operators (e.g. energy, water, major healthcare providers) were affected.
  • Under NIS2, the circle of regulated companies is massively expanded: estimates suggest around 29,500 companies in Germany.

Companies across 18 sectors in total are affected, including:

  • Energy, transport, healthcare, drinking water supply
  • Financial market infrastructure, banks, insurance
  • Digital infrastructure, data centres, cloud and managed services
  • Postal and courier services, waste management, manufacturing of critical goods
  • Providers of digital services and platforms

Important: This is not just about critical infrastructure. Many SMEs are entering a regulated cybersecurity world for the first time through NIS2, often because they meet certain size criteria or are part of critical supply chains.

Typical thresholds include:

  • at least 50 employees or
  • more than EUR 10 million annual turnover

combined with membership of one of the relevant sectors.

So if you are, for example, a mid-sized IT company, offer a SaaS service, supply critical industries, or operate digital infrastructure, there is a high probability that NIS2 affects you directly or indirectly, and thus you personally as a decision-maker.

And that's exactly where the NIS2 executive management training comes into play.

Who counts as "executive management" and is therefore subject to the training obligation?

The NIS2 training obligation is directed not at "the IT department" but explicitly at executive management. In the new BSI Act, this term is defined very specifically:

Executive management refers to any natural person who, on the basis of law, articles of association or partnership agreement, is appointed to manage the affairs and represent an important or particularly important entity (e.g. managing directors, board members).

In practice, this typically means:

  • Managing directors (GmbH, UG, etc.)
  • Members of the management board (AG, SE, etc.)
  • Managing partners, general partners
  • C-level roles such as CEO, CFO, COO, CIO, CISO/CSO, if they hold executive management functions
  • Potentially authorised signatories or senior individuals who effectively bear executive management responsibility

The NIS2 executive management training therefore does not just concern "the one managing director" but often a group of individuals within the company leadership.

For you as a company, this means:

  • Think broadly about who in the organisation counts as executive management.
  • Document specifically who falls under the definition.
  • Plan the training for all individuals who belong to this group; when in doubt, include one person too many rather than one too few.

The training obligation is tied to the function, not to the title on the business card.

What does Section 38 of the amended BSI Act specifically require of executive management?

The central provision for you is Section 38 of the amended BSI Act (BSIG n.F.). It translates NIS2 into clear management obligations, making cybersecurity officially a component of the organisational duty of care of executive management.

At its core, you need to remember four points:

1. You are responsible for risk management

Executive management must ensure that the company has implemented appropriate technical and organisational measures for IT security, and that these are continuously monitored and further developed. This includes:

  • Risk analyses and assessments
  • Processes for handling security incidents
  • Concepts for business continuity and emergency preparedness
  • Backup and recovery concepts
  • Measures to protect against cyberattacks (patch management, access control, encryption, etc.)

Important: You cannot simply delegate this responsibility downwards. You can transfer tasks, but not the responsibility for ensuring the overall system is adequate.

2. You must undergo regular training

Section 38 of the amended BSI Act requires that members of executive management regularly participate in training in order to:

  • recognise and assess risks in the field of cybersecurity,
  • understand common risk management practices,
  • and be able to assess the impact of risks and measures on the services and business processes you provide.

In the legislative justification and in BSI documentation, the guideline is a training session at least every three years, lasting on average about four hours, depending on the risk situation, company context and prior knowledge. In the event of significant changes (e.g. new business models, M&A, a new IT landscape, a major increase in threats, or a change in executive management), shorter intervals may be required.

This is not about a one-off "mandatory seminar" but about a recurring format that keeps you and your leadership team up to date.

3. You must be able to prove training participation

Participation in executive management training must in future be demonstrable. This means:

  • You must document who was trained when and to what extent.
  • These records should be stored in a structured and audit-proof manner.
  • The BSI or other competent bodies can request this documentation in the course of audits or in the event of incidents.

A "We did something at some point, I just can't find the paperwork right now" will not suffice here.

4. You bear a personal liability risk

Particularly relevant from the perspective of managing directors and board members: Section 38 establishes an internal liability under corporate law. This means:

If you culpably breach your duties on cybersecurity (e.g. fail to introduce appropriate measures, neglect training, ignore gross deficiencies), you can be held personally liable for resulting damages, in addition to any fines against the company.

With NIS2, the topic of IT security has definitively arrived in the league of compliance, data protection and financial reporting, including personal risk for decision-makers.

What does the BSI expect in a NIS2 executive management training session?

The Federal Office for Information Security (BSI) has outlined in its guidance on NIS2 executive management training what content, from the supervisory perspective, should be included in such a format.

The training for executive management should cover three levels:

1. Fundamentals: context, obligations, roles

The starting point is a shared understanding:

  • What is NIS2, and how was it transposed in Germany?
  • Which companies are classified as "important" or "particularly important entities"?
  • What role does the BSI play as the supervisory authority?
  • What obligations apply to the company (registration, reporting obligations, risk management)?
  • What obligations apply to you personally as executive management (including the training obligation and liability)?

The goal is that, after the fundamentals block, you can answer:

  • "Are we affected?"
  • "What obligations do we have as an organisation?"
  • "What obligations do I personally have?"

2. Core content: risk, measures, impacts

The legislator explicitly names three competency areas that you should master:

a) Recognising and assessing risks
You don't need to be able to analyse malware, but you should:

  • know typical cyber threats (e.g. ransomware, phishing, insider threats, supply chain attacks),
  • be able to roughly classify their probability of occurrence and damage potential for your business model,
  • and understand how IT risks translate into business risks (e.g. production downtime, reputational damage, contractual penalties).

b) Understanding risk management measures
At management level, you should know:

  • what technical and organisational measures exist (from access management to emergency handbooks),
  • what the legally defined minimum catalogue of measures under Section 30(2) of the amended BSI Act covers (e.g. risk analyses, incident management, business continuity, cryptography, supply chain security),
  • how these measures interact and what risk reduction they deliver for the investment required,
  • and what strategies for risk treatment exist (avoid, mitigate, transfer, accept), and where acceptance is simply no longer permissible.

c) Assessing the impact of risks and measures
Finally, you should:

  • be able to assess the impact of a security incident on the availability, confidentiality and integrity of your services and processes,
  • understand how security measures (or the lack thereof) influence your resilience, revenue and reputation,
  • and be capable of making informed decisions based on this assessment (e.g. prioritisation of measures, budget decisions, acceptance thresholds).

In short:
After the training, you should be able to ask the right questions, classify risks and make conscious decisions, not from gut feeling or "because IT suggested it."

3. Supplementary: sector specifics, scenarios, exercises

The BSI recommends supplementing training with practice-oriented elements:

  • sector-specific threat landscapes (e.g. healthcare vs. manufacturing vs. cloud provider),
  • relevant standards and frameworks (e.g. ISO 27001, sector-specific security standards),
  • scenarios and case studies, ideally from your own sector or organisation,
  • short tabletop exercises in which you work through as a team how you would respond to an incident.

Because ultimately, it's not about slides but about making you more confident in real-world decisions.

What risks do you face if you ignore NIS2 and the training obligation?

NIS2 is not just a "nice to have" but is backed by a rather sharp sanctions regime.

If you sit out the topic or only tick boxes pro forma, you risk:

1. Heavy fines

For violations of NIS2, the authorities, in Germany particularly the BSI, can impose fines of up to

  • EUR 10 million or 2% of global annual turnover (for particularly important entities)
  • or EUR 7 million or 1.4% of turnover (for important entities)

whichever amount is higher.

This is comparable to the GDPR, and for many companies, existentially threatening.

2. Personal responsibility & liability

If, as a managing director, board member or other member of executive management, you fail to fulfil your duty to establish appropriate risk management and undergo training, you can be accused of organisational fault.

This opens up:

  • internal liability claims (e.g. from the company against you as an officer),
  • potentially even criminal risks in extreme cases (e.g. grossly negligent endangering of critical infrastructure).

NIS2 expressly aims to hold individuals in leadership positions accountable, not just abstractly "the organisation."

3. Supervisory measures and reputational damage

The BSI receives expanded audit and intervention powers under the new law.

If the following are missing:

  • proper registration,
  • documented risk management,
  • or evidence of training and measures,

the authority can not only impose fines but also issue orders, demand remediation and initiate audits.

On top of that:
A security incident where it turns out that you were clearly under-regulated (no incident plan, no training, no minimum measures) is not just a legal problem but also a massive reputational issue, with customers, partners, banks, insurers and potentially the media.

4. Insurance and contractual risks

Cyber insurers and major clients are increasingly paying attention to whether a company demonstrably implements appropriate security measures.

Missing NIS2 compliance can lead to:

  • insurers reducing or refusing claims in the event of damage,
  • customers imposing stricter contractual security requirements or switching providers,
  • lost tenders because you are "not audit-ready."

Why right now is the right time to act

You might say: "We'll wait until everything is 100% final and then see."
The problem: It's actually already too late for that.

  • The NIS2 Directive has long been in force at EU level.
  • The German implementation act was passed by the Bundestag and approved by the Bundesrat.

All that remains is:

  • promulgation in the Federal Law Gazette and
  • the specific entry-into-force date (expected late 2025 / early 2026).

So today you can already plan on a very stable basis.

Between "We know NIS2 is coming" and "We are truly NIS2-ready" lie:

  • Impact analysis (do we fall under NIS2? As important or particularly important?)
  • Gap analysis against the new requirements
  • Building/expanding risk management
  • Revising processes, contracts and reporting chains
  • Planning and conducting executive management training
  • Documentation and evidence management

This takes time. Anyone who only starts at the point of entry into force will have a hard time credibly demonstrating they were "appropriately prepared."

Training capacity will become scarce

The closer the entry into force, the more companies will try to get their executive management trained at short notice. Realistically, this will mean:

  • bottlenecks with good providers,
  • hectic last-minute formats,
  • and the risk that training is perceived more as a "mandatory appointment" than as a strategic lever.

Those who plan now can:

  • tailor content in a structured way to their own company,
  • identify roles clearly,
  • and set up training as part of a strategic security agenda, not as an isolated measure.

Two practical scenarios: how NIS2 works in everyday life

To make all of this more tangible, let's look at two typical scenarios that are frequently played out in NIS2 training sessions.

Example 1: Ransomware at a mid-sized manufacturing company

A mechanical engineering company with 200 employees (making it "important" within the meaning of NIS2) falls victim to a ransomware attack:

  • Production facilities go down,
  • the ERP system is encrypted,
  • attackers threaten to publish sensitive customer data.

What do NIS2 and the new BSI Act now require of executive management?

  • Within 24 hours of becoming aware of the incident:
    an early warning notification to the BSI.
  • After 72 hours:
    a more detailed report with initial analyses.
  • No later than one month:
    a final report on the cause, impacts and measures taken.

A trained executive management team has:

  • adopted an incident response plan,
  • clearly allocated responsibilities,
  • defined communication lines (internal/external),
  • had regular emergency drills conducted,
  • and knows how to evaluate the trade-off "pay ransom vs. backup/rebuild."

As a managing director or board member, you then don't have to improvise but can rely on previously made decisions, and justify them to the BSI, supervisory board and stakeholders.

Example 2: Vulnerability in a hospital's supply chain

A hospital (categorised as "particularly important") learns that a service provider operating building technology and access control systems has had a critical security vulnerability exploited.

A trained executive management team has:

  • classified suppliers by criticality,
  • contractually agreed on security requirements,
  • established a procedure for assessing supply chain risks,
  • and jointly with CISO/IT defined clear processes for such reports.

Instead of hectic ad-hoc reactions, management can:

  • isolate systems in a targeted manner,
  • take temporary measures to maintain operations,
  • fulfil reporting obligations to the BSI and, where applicable, data protection authorities,
  • and proactively communicate with patients, the public and partners.

Precisely this interface competency, between business, technology, law and communication, is what NIS2 demands of executive management. And that is exactly what a good NIS2 executive management training aims for.

What you should do now, specifically

If you've read this far, NIS2 very likely affects you directly, or at least through your supply chain. What can you do now without immediately getting lost in the detail?

  1. Clarify whether you are affected
     • Check whether you belong to one of the NIS2-regulated sectors.
     • Check employee numbers and turnover thresholds.
     • If in doubt, bring in legal or specialist expertise. The classification is not trivial, but it is decisive.
  2. Identify executive management
     • List all individuals who, under law/articles of association/partnership agreement, qualify as executive management.
     • Think of special cases (e.g. authorised signatories with de facto management responsibility).
  3. Assess the current state of risk management
     • Is there already an information security strategy?
     • How mature are risk, emergency and reporting processes?
     • Which standards (ISO 27001, etc.) do you already use?
  4. Plan the NIS2 executive management training
     • Put the topic on the agenda of the management board/executive committee.
     • Plan a training format that covers both legal obligations and practical decision-making situations.
     • Set an interval straight away (e.g. every three years) and ensure proper documentation.
  5. Build documentation & demonstrability
     • Record training sessions, decisions and measures in a traceable manner.
     • Remember: if something happens later, you will need to show that you fulfilled your responsibilities.
  6. See the topic as an opportunity
     • NIS2 is uncomfortable, no question.
     • But strengthened cybersecurity is also a business asset: fewer outages, more trust, a better position in tenders and audits.

Conclusion:
The NIS2 executive management training is not a tedious mandatory seminar but a central building block for ensuring that, as a decision-maker in an increasingly digital and uncertain world, you can steer responsibly, with liability protection and future-readiness.

The sooner you actively address the topic, the sooner a risk becomes a strategy and resilience lever, for you personally, for your organisation, and for everyone who depends on your services.

Frequently Asked Questions

Who counts as management under the NIS2 training obligation?

Management includes all natural persons appointed to lead the business by law, articles of association, or partnership agreement. This covers managing directors, board members, CEOs, CFOs, CIOs, and potentially authorised officers with de facto leadership responsibilities.

How often must management be trained under NIS2?

The guideline is at least every three years, with a duration of approximately four hours. Shorter intervals may be required after significant changes such as new business models, changes in leadership, or a major increase in threat levels.

What topics must a NIS2 management training cover?

The training must cover three areas. First, recognising and assessing cyber risks. Second, understanding common risk management practices. Third, evaluating the impact of risks and measures on business services and processes.

What personal liability do executives face under NIS2?

Section 38 of the revised BSI Act establishes internal corporate liability. Executives who negligently breach their cybersecurity duties can be held personally liable for resulting damages, in addition to any fines imposed on the company.

What happens if NIS2 training obligations are ignored?

Fines of up to 10 million euros or 2% of global annual revenue apply for essential entities. Additionally, personal liability claims, supervisory measures by the BSI, and significant reputational damage may follow.

Must training attendance be documented?

Yes, participation in management training must be verifiable. Companies must record who was trained, when, and to what extent. The BSI can request this documentation during inspections or after incidents.